Lexmark is a common printer brand that the author had looked at before. In a recent update the firmware encryption process was changed, so after a nudge from a friend they decided to take another look. After installing a persistent backdoor on the older firmware and then upgrading the device, they were ready to reverse engineer the new system with their foothold still in place.
In the previous version, firmware decryption used an AES key stored at a fixed location on the file system. Running the old decryption script against the new firmware failed. Exploring the OS on the upgraded system, they found references to WTM and, after some snooping around, worked out that WTM is the Wireless Trusted Module, the part of the chip that handles trusted boot.
On Lexmark printers there is a Rust init binary and a Rust kernel module for talking to the chip's WTM interface; the userspace client talks to the driver over netlink sockets. They really did not want to reverse the kernel driver, so instead they patched the client's PLT entries so that its netlink socket calls went to ordinary sockets. Why? Simply to make the client easier to drive.
With plain TCP in place of netlink, the kernel side of the exchange could be implemented as a userspace server that the client connects to. More importantly, this let them run the init binary under emulation, which gives a far better test environment than the printer itself. After simulating enough of the kernel driver's responses over TCP, the client handed the fake "kernel driver" the key. Yes, it was that simple: intercept the traffic and read the key out of it.
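As an added example (not code from the original post, and not Lexmark's or the WTM driver's own code), here is a Python sketch of the "kernel side" a researcher stands up once the client's netlink calls have been redirected to a plain socket: it speaks real `struct nlmsghdr` framing, reassembles messages out of the byte stream, records everything the client sends, and answers each request with a netlink-style ACK so a client that waits for confirmation keeps going. The WTM message type numbers, the payload layout, the hello/set-key sequence and the key bytes are all assumptions made up for the demonstration; the write-up does not give the real protocol.

```python
"""Fake kernel-side endpoint for a netlink-speaking userspace client, over a plain socket."""
import socket
import struct
import threading

# struct nlmsghdr from linux/netlink.h: nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
NLMSG_HDR = struct.Struct("=IHHII")
NLMSG_HDRLEN = NLMSG_HDR.size          # 16 bytes, native byte order
NLMSG_ERROR = 2                        # standard type carrying ACK (error 0) or NACK replies
NLM_F_REQUEST = 0x01
NLM_F_ACK = 0x04

# ASSUMED for illustration only: the real WTM driver's message numbering and
# payload layout are not given in the write-up.
WTM_MSG_HELLO = 0x10
WTM_MSG_SET_KEY = 0x11


def nlmsg_align(n):
    """Netlink pads every message out to a 4-byte boundary (NLMSG_ALIGN)."""
    return (n + 3) & ~3


def build_nlmsg(msg_type, payload, seq=0, pid=0, flags=NLM_F_REQUEST | NLM_F_ACK):
    """Frame a payload the way a userspace client does before sendto()."""
    total = NLMSG_HDRLEN + len(payload)
    hdr = NLMSG_HDR.pack(total, msg_type, flags, seq, pid)
    return hdr + payload + b"\x00" * (nlmsg_align(total) - total)


def parse_nlmsgs(buf, at_eof=False):
    """Split a byte stream into complete messages. Returns (messages, bytes_consumed).

    Each message is (type, flags, seq, pid, payload). Parsing stops at the first
    incomplete message (header, body or trailing padding still missing) so the
    caller can keep the tail and read more; at_eof accepts a final unpadded message.
    """
    msgs, off = [], 0
    while off + NLMSG_HDRLEN <= len(buf):
        length, mtype, flags, seq, pid = NLMSG_HDR.unpack_from(buf, off)
        if length < NLMSG_HDRLEN:
            raise ValueError("bad nlmsg_len %d at offset %d" % (length, off))
        end, aligned_end = off + length, off + nlmsg_align(length)
        if end > len(buf) or (aligned_end > len(buf) and not at_eof):
            break
        msgs.append((mtype, flags, seq, pid, bytes(buf[off + NLMSG_HDRLEN:end])))
        off = min(aligned_end, len(buf))
    return msgs, off


class FakeWtmKernel:
    """Stands in for the kernel driver on the far end of the (now TCP) socket.

    Every message the client sends is recorded, then acknowledged with
    NLMSG_ERROR/error=0 followed by the request header, as netlink does.
    """

    def __init__(self):
        self.captured = []              # (type, payload) in arrival order

    def reply_for(self, mtype, flags, seq, pid, payload):
        self.captured.append((mtype, payload))
        req_hdr = NLMSG_HDR.pack(NLMSG_HDRLEN + len(payload), mtype, flags, seq, pid)
        return build_nlmsg(NLMSG_ERROR, struct.pack("=i", 0) + req_hdr, seq=seq, pid=pid, flags=0)

    def serve(self, conn):
        buf = b""
        while True:
            chunk = conn.recv(4096)
            if not chunk:               # client hung up
                break
            buf += chunk
            msgs, used = parse_nlmsgs(buf)
            buf = buf[used:]
            for m in msgs:
                conn.sendall(self.reply_for(*m))
        conn.close()
        return self.captured

    def key_material(self):
        """Hex of every payload that arrived as an (assumed) SET_KEY message."""
        return [p.hex() for t, p in self.captured if t == WTM_MSG_SET_KEY]


def wtm_client(conn, key):
    """Minimal stand-in for the init binary: say hello, then hand the key to the 'driver'."""
    ack_types = []
    for seq, (mtype, payload) in enumerate([(WTM_MSG_HELLO, b"init"), (WTM_MSG_SET_KEY, key)], 1):
        conn.sendall(build_nlmsg(mtype, payload, seq=seq, pid=4242))
        buf, msgs = b"", []
        while not msgs:                 # read until one whole reply has arrived
            chunk = conn.recv(4096)
            if not chunk:
                raise ConnectionError("fake kernel closed before acking seq %d" % seq)
            buf += chunk
            msgs, _ = parse_nlmsgs(buf, at_eof=True)
        ack_types.append(msgs[0][0])
    conn.close()
    return ack_types


def intercept_demo(key=bytes.fromhex("000102030405060708090a0b0c0d0e0f")):
    """Run client and fake kernel over a socketpair; the key is a constructed test value."""
    kernel = FakeWtmKernel()
    client_sock, kernel_sock = socket.socketpair()
    t = threading.Thread(target=kernel.serve, args=(kernel_sock,))
    t.start()
    acks = wtm_client(client_sock, key)
    t.join()
    return kernel.key_material(), acks


if __name__ == "__main__":
    keys, acks = intercept_demo()
    print("captured key material:", keys, "acks:", acks)
```

The socketpair keeps the demo self-contained; against a redirected client you would instead `bind()`/`accept()` on the TCP port the patched `socket()` call connects to and hand the accepted connection to `serve()`. The interesting part in practice is not the framing but what lands in `captured`: anything the client is willing to pass across the userspace/kernel boundary is visible to whoever controls that boundary.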
The vendor did a better job of encrypting the firmware this time. The problem is that a device compromised under the old firmware already has the privileges needed to watch the new key handling from the inside, and the upgrade did nothing to remove that foothold. Retrofitting a new protection onto an already-pwned device doesn't work for that reason. Interesting post!